Updated on 2026-02-12 GMT+08:00

Using OBS Bucket Keys to Reduce SSE-KMS Costs

When you use SSE-KMS to encrypt a large number of objects, OBS sends numerous requests to KMS to derive DEKs. This increases latency and causes high traffic to KMS.

To reduce the number of KMS calls, you can configure your buckets or objects to use bucket keys for SSE-KMS. When you do so, KMS generates a bucket key with a short validity period and OBS stores the bucket key in its cache. OBS then uses the cached bucket key to derive the DEKs for encrypting and decrypting objects, without sending requests to KMS. This reduces traffic from OBS to KMS, thereby lowering costs and improving performance. During encryption and decryption, KMS manages CMKs and bucket keys, while OBS caches bucket keys and stores and manages DEKs.

Figure 1 Derivation process of bucket keys and DEKs

Constraints

  • Currently, cross-region replication does not support bucket keys.
  • To secure data, each requester obtains a unique bucket-level key from KMS at least once to ensure that KMS can check whether the requester has access to the key. OBS treats callers as different requesters when they use different IAM users or the same IAM user with different permissions.
  • To configure a bucket key for an existing object that does not use the bucket key, you need to re-upload or copy the object and enable the bucket key at the object level in the upload or copy request.
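The following is an added example, not OBS or KMS code, that models why a cached, short-lived bucket key cuts KMS traffic and why each distinct requester still reaches KMS at least once. The derivation steps (HKDF-SHA256 over a bucket key that KMS itself derives from the CMK), the per-object random nonce, the `ModelKMS` and `BucketKeyCache` classes, the `photos` bucket and the requester names are all constructed assumptions chosen to match the description above; OBS's real derivation is not published on this page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256, standard library only."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class ModelKMS:
    """Stand-in for KMS (assumption): holds the CMK, issues bucket keys, counts every call."""

    def __init__(self) -> None:
        self.cmk = os.urandom(32)
        self.calls = 0

    def generate_bucket_key(self, bucket: str, requester: str) -> bytes:
        # A real KMS authorises `requester` against the CMK here, which is why
        # each distinct requester (IAM user or permission set) must reach KMS at least once.
        self.calls += 1
        return hkdf_sha256(self.cmk, os.urandom(16), f"bucket-key:{bucket}:{requester}".encode())

    def generate_dek_directly(self, object_key: str) -> bytes:
        # SSE-KMS without a bucket key: one KMS round trip per object.
        self.calls += 1
        return hkdf_sha256(self.cmk, os.urandom(16), f"dek:{object_key}".encode())


@dataclass
class CachedBucketKey:
    key: bytes
    expires_at: float


class BucketKeyCache:
    """OBS-side cache (modelled): one bucket key per (bucket, requester), valid for `ttl` seconds."""

    def __init__(self, kms: ModelKMS, ttl: float) -> None:
        self.kms = kms
        self.ttl = ttl
        self._entries: dict[tuple[str, str], CachedBucketKey] = {}

    def bucket_key(self, bucket: str, requester: str, now: float) -> bytes:
        entry = self._entries.get((bucket, requester))
        if entry is None or now >= entry.expires_at:
            # Cache miss or expired: this is the only path that calls KMS.
            entry = CachedBucketKey(self.kms.generate_bucket_key(bucket, requester), now + self.ttl)
            self._entries[(bucket, requester)] = entry
        return entry.key

    def derive_dek(self, bucket: str, requester: str, object_key: str, now: float) -> tuple[bytes, bytes]:
        """Per-object DEK derived locally; the random nonce keeps two objects from sharing a DEK."""
        nonce = os.urandom(16)
        dek = hkdf_sha256(self.bucket_key(bucket, requester, now), nonce, f"dek:{object_key}".encode())
        return dek, nonce


def kms_calls_for_uploads(n_objects: int, requesters: list[str], ttl: float, use_bucket_key: bool) -> int:
    """Upload n_objects, one per second, rotating through requesters; return the KMS calls made."""
    kms = ModelKMS()
    cache = BucketKeyCache(kms, ttl)
    for i in range(n_objects):
        requester = requesters[i % len(requesters)]
        if use_bucket_key:
            cache.derive_dek("photos", requester, f"obj-{i}", now=float(i))
        else:
            kms.generate_dek_directly(f"obj-{i}")
    return kms.calls


if __name__ == "__main__":
    print("no bucket key, 1 requester :", kms_calls_for_uploads(1000, ["alice"], 300, False))
    print("bucket key, 1 requester    :", kms_calls_for_uploads(1000, ["alice"], 300, True))
    print("bucket key, 2 requesters   :", kms_calls_for_uploads(1000, ["alice", "bob"], 300, True))
```

With a 300-second validity period and one upload per second, 1000 objects cost 1000 KMS calls without a bucket key but only 4 with it; a second requester adds its own 4 calls, which is the constraint above in numbers: the saving scales with objects per requester per validity period, not with objects alone.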

Billing

If you use SSE-KMS, you will be billed for using keys. For details, see KMS Billing Items.

Bucket-Level and Object-Level Bucket Keys

OBS supports bucket-level and object-level bucket keys. Objects can inherit the encryption settings from their bucket, or you can separately configure encryption for objects. For details, see Figure 2. In an OBS request, if x-obs-server-side-encryption-bucket-key-enabled is set to true, the bucket key is enabled; if this header is set to false, the bucket key is disabled.
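As an added example (not OBS SDK code), the functions below resolve whether an object ends up using the bucket key from the header named above and the bucket's own setting, and build the headers for the re-upload or copy that the constraints section requires. Assumed semantics: an explicit object-level header overrides the bucket-level setting, and an absent header means the object inherits it. The `x-obs-server-side-encryption: kms` and `x-obs-server-side-encryption-kms-key-id` headers are OBS request headers not listed on this page; the key ID and object names are constructed placeholders.

```python
from typing import Optional

BUCKET_KEY_HEADER = "x-obs-server-side-encryption-bucket-key-enabled"


def read_bucket_key_flag(headers: dict[str, str]) -> Optional[bool]:
    """Return True/False for an explicit header, None when it is absent (inherit).
    Only the literal values 'true' and 'false' are accepted; anything else is rejected."""
    for name, value in headers.items():
        if name.lower() == BUCKET_KEY_HEADER:
            value = value.strip().lower()
            if value == "true":
                return True
            if value == "false":
                return False
            raise ValueError(f"{BUCKET_KEY_HEADER} must be 'true' or 'false', got {value!r}")
    return None


def effective_bucket_key(bucket_default: bool, request_headers: dict[str, str]) -> bool:
    """Object-level header wins; otherwise the object inherits the bucket setting (assumed precedence)."""
    explicit = read_bucket_key_flag(request_headers)
    return bucket_default if explicit is None else explicit


def sse_kms_upload_headers(kms_key_id: str, bucket_key_enabled: bool) -> dict[str, str]:
    """Headers for an upload or copy that requests SSE-KMS and sets the bucket key explicitly.
    The two SSE-KMS headers are OBS headers not shown on this page (assumption)."""
    return {
        "x-obs-server-side-encryption": "kms",
        "x-obs-server-side-encryption-kms-key-id": kms_key_id,
        BUCKET_KEY_HEADER: "true" if bucket_key_enabled else "false",
    }


def objects_needing_reupload(bucket_default: bool, uploads: dict[str, dict[str, str]]) -> list[str]:
    """Objects whose original request resolved to 'bucket key off'. Per the constraints,
    they only start using the bucket key after a re-upload or copy with the header set to true."""
    return sorted(name for name, hdrs in uploads.items() if not effective_bucket_key(bucket_default, hdrs))


if __name__ == "__main__":
    # Constructed sample: three uploads into a bucket whose default is "bucket key on".
    past_uploads = {
        "a.jpg": {},                                  # inherits bucket setting
        "b.jpg": {BUCKET_KEY_HEADER: "false"},        # explicitly disabled
        "c.jpg": {BUCKET_KEY_HEADER: "true"},         # explicitly enabled
    }
    for name in objects_needing_reupload(True, past_uploads):
        print(name, "-> copy with", sse_kms_upload_headers("kms-key-id-placeholder", True))
```

Rejecting values other than `true`/`false` in `read_bucket_key_flag` is deliberate: a silently ignored typo such as `yes` would leave the object on the bucket default while the caller believes the bucket key was disabled or enabled.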

Figure 2 Bucket-level and object-level bucket keys working together